Cookie-based

Browser sends cookies during handshake. Works with existing session cookies. Requires same-origin or SameSite=Lax.

Advertisement

Query-string token

const ws = new WebSocket('wss://example.com/ws?token=' + jwt);

Simple. Downside: tokens land in server logs. Use short-lived tokens.

Advertisement

Subprotocol token

new WebSocket(url, ['token.' + jwt]);

Token in Sec-WebSocket-Protocol. Not logged like query strings. Bit of a hack — that field wasn't designed for auth.